Hashing data is security-sensitive. It has led in the past to the following vulnerabilities:

Cryptographic hash functions are used to uniquely identify information without storing its original form. When hashing is not done properly, an attacker can recover the original information by guessing it (for example with a rainbow table or a dictionary attack against an unsalted, fast hash), or substitute different data that produces the same hash (a collision).

This rule flags code that initiates hashing.

Ask Yourself Whether

You are at risk if you answered yes to the first question and any of the following ones.

Recommended Secure Coding Practices

Sensitive Code Example

// === MessageDigest ===
import java.security.MessageDigest;
import java.security.Provider;

class A {
    void foo(String algorithm, String providerStr, Provider provider) throws Exception {
        MessageDigest.getInstance(algorithm); // Sensitive
        MessageDigest.getInstance(algorithm, providerStr); // Sensitive
        MessageDigest.getInstance(algorithm, provider); // Sensitive
    }
}

Regarding SecretKeyFactory: any call to SecretKeyFactory.getInstance("...") with an argument starting with "PBKDF2" will be highlighted. See the OWASP guidelines, the list of standard algorithms, and the algorithms available on Android.

// === javax.crypto ===
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.SecretKeyFactory;

class A {
    void foo(char[] password, byte[] salt, int iterationCount, int keyLength) throws Exception {
        // Sensitive. Review this, even if it is the way recommended by OWASP
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterationCount, keyLength);
        factory.generateSecret(spec).getEncoded();
    }
}

Regarding Guava, only the hashing functions that are usually misused for sensitive data raise an issue, i.e. md5 and sha*.

// === Guava ===
import com.google.common.hash.Hashing;

class A {
    void foo() {
        Hashing.md5(); // Sensitive
        Hashing.sha1(); // Sensitive
        Hashing.sha256(); // Sensitive
        Hashing.sha384(); // Sensitive
        Hashing.sha512(); // Sensitive
    }
}

// === org.apache.commons ===
import org.apache.commons.codec.digest.DigestUtils;

class A {
    void foo(String strName, byte[] data, String str, java.io.InputStream stream) throws Exception {
        new DigestUtils(strName); // Sensitive
        new DigestUtils(); // Sensitive

        DigestUtils.getMd2Digest(); // Sensitive
        DigestUtils.getMd5Digest(); // Sensitive
        DigestUtils.getShaDigest(); // Sensitive
        DigestUtils.getSha1Digest(); // Sensitive
        DigestUtils.getSha256Digest(); // Sensitive
        DigestUtils.getSha384Digest(); // Sensitive
        DigestUtils.getSha512Digest(); // Sensitive
        DigestUtils.md2(data); // Sensitive
        DigestUtils.md2(stream); // Sensitive
        DigestUtils.md2(str); // Sensitive
        DigestUtils.md2Hex(data); // Sensitive
        DigestUtils.md2Hex(stream); // Sensitive
        DigestUtils.md2Hex(str); // Sensitive

        DigestUtils.md5(data); // Sensitive
        DigestUtils.md5(stream); // Sensitive
        DigestUtils.md5(str); // Sensitive
        DigestUtils.md5Hex(data); // Sensitive
        DigestUtils.md5Hex(stream); // Sensitive
        DigestUtils.md5Hex(str); // Sensitive

        DigestUtils.sha(data); // Sensitive
        DigestUtils.sha(stream); // Sensitive
        DigestUtils.sha(str); // Sensitive
        DigestUtils.shaHex(data); // Sensitive
        DigestUtils.shaHex(stream); // Sensitive
        DigestUtils.shaHex(str); // Sensitive

        DigestUtils.sha1(data); // Sensitive
        DigestUtils.sha1(stream); // Sensitive
        DigestUtils.sha1(str); // Sensitive
        DigestUtils.sha1Hex(data); // Sensitive
        DigestUtils.sha1Hex(stream); // Sensitive
        DigestUtils.sha1Hex(str); // Sensitive

        DigestUtils.sha256(data); // Sensitive
        DigestUtils.sha256(stream); // Sensitive
        DigestUtils.sha256(str); // Sensitive
        DigestUtils.sha256Hex(data); // Sensitive
        DigestUtils.sha256Hex(stream); // Sensitive
        DigestUtils.sha256Hex(str); // Sensitive

        DigestUtils.sha384(data); // Sensitive
        DigestUtils.sha384(stream); // Sensitive
        DigestUtils.sha384(str); // Sensitive
        DigestUtils.sha384Hex(data); // Sensitive
        DigestUtils.sha384Hex(stream); // Sensitive
        DigestUtils.sha384Hex(str); // Sensitive

        DigestUtils.sha512(data); // Sensitive
        DigestUtils.sha512(stream); // Sensitive
        DigestUtils.sha512(str); // Sensitive
        DigestUtils.sha512Hex(data); // Sensitive
        DigestUtils.sha512Hex(stream); // Sensitive
        DigestUtils.sha512Hex(str); // Sensitive
    }
}

See